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Abstract 

Hierarchical access control is an important and traditional problem in informa- 
tion security. In 2001, Wu et.al. proposed an elegant solution for hierarchical 
access control by the secure-filter. Jeng and Wang presented an improvement of 
Wu et. al.'s method by the ECC cryptosystem. However, secure-filter method 
is insecure in dynaminc access control. Lie, Hsu and Tripathy, Paul pointed 
out some secure leaks on the secure-filter and presented some improvements 
to eliminate these secure flaws. In this paper, we revise the secure-filter in 
Jeng- Wang method and propose another secure solutions in hierarchical access 
control problem. CA is a super security class (user) in our proposed method 
and the secure-filter of Ui in our solutions is a polynomial of degree -I- 1 in 
/i(^) ^ ^ hi){x — fli) • • • (a; — a„.) -f Li.{Ki). Although the degree of our 
secure-filter is larger than others solutions, our solution is secure and efficient 
in dynamics access control. 

Keywords: Hierarchial access control, Key management. Secure-filter, 
Dynamic access control, ECC. 



1. Introduction 

The access control problems in a computer (communication) system are 
structured as a user hierarchy. Under such a hierarchy, the users and their 
own data are organized into a number of disjoint set of security classes and 
each user is assigned to a security class called the user's security clearance. Let 
S — {ui, -U2, • • • , Un} be a set of n-disjoint security classes. Assume that "<" is 
a partial ordering on S. In (S, <), Uj < Ui means that the user Ui has a security 
clearance higher than or equal to the user Uj in the security class (£',<). In 
other words, the user Ui can read the information items which belong to the 
user Uj , but Uj cannot read the data which belong to Ui in this partial ordering 
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system. Uj is called the successor of ui and Ui is called the predecessor of uj if 

Uj < Ui. 

The first solution of hierarchical access control problem is developed by Akl 
and Taylor[lj in 1983. They assigned a public integer U to each security user 
Ui with the property that ti\tj iff Uj < Ui. The central authority (CA) in their 
scheme assigned a security number Kq and the cryptographic key for Ui is com- 
puted by Ki = Kq (mod p) where p is a large prime number. The predecessor 
Ui of Uj can obtain the cryptographical key Kj by 

K, = {K'o^)'^ = {K,fi{modp). (1) 

Obviously, the user Ui can obtain Kj for some user Uj if and only if Ui is a 
predecessor of Uj, that is Uj < Ui. However, the size of the public information 
ti will grow linearly with the number of security classes in Alk and Taylor's 
scheme. Hence, MacKinnon et.al.[l3] and Harn et.al.Q] presented different key 
assignment schemes to improve Akl and Taylor's method, respectively. However, 
all secret keys must be re-generated when a security class is added into or deleted 
from the user hierarchy in these methods. The dynamic access control problems 
cannot be efficiently solved. 

Since then, several solutions 0,0,0] have been proposed to archive the target 
of the dynamic access control problem in hierarchy by keeping the size of public 
information as small as possible. However, these approaches are inefficient if the 
user with a high security of his successor without an immediate one. In 1995, 
Tsai and Chang [l3| presented an elegant key management scheme based on the 
Rabin public cryptosystem and Chinese remainder theorem. Their method is 
efficient in the key-generation and key-derivation processes, but a group of secret 
data is required to be held by each security class. 

Recently, Wu et.al.[l3] proposed a novel key management scheme by the 
secure-filter function to solve the dynamic access control problems. The secure- 
filter function that Wu et.al. used is defined as 

Mx)^Y[{x~gp)+K, (2) 
t 

for all Ui < Ut where St is the secret number of Ui and gi is a public random 
integer chosen by Ui (see Q for further details). In 2006, Jeng and WangQ 
presented an efficient solution of access control problem in hierarchy by com- 
bining the secure-filter and ECC cryptosystem. The secure-filter in Jeng- Wang 
method is given by 

Mx)^Y[{x-A{n,Pt))+K, (3) 
t 

for all Ui < Ut where A is a function from an elliptic group to Z* (see Q for the 
details ). The major advantages of Wu et.al's and Jeng- Wang schemes were to 
solve the dynamic key management efficiently. Both of them are not necessary 
to re-generate keys for all the security classes in the hierarchy when the security 
class is added into or deleted from the user hierarchy. 
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In 2009-2011, Lin and Hsu[l,Q pointed out a security leak of the Jeng-Wang 
method. To ehminate this security flaw, Lin and Hsu revised the secure-fiher 
to 

M^) = ~ Hr\\A{n,Pt))) + (4) 

t 

for all Ui < ut, where h is an one-way hash function and r is a random number. 
Lin-Hsu scheme is an effective secure method to overcome the security leak of 
Jeng-Wang method. However, this method must be re-computed the secure- 
filter fi for each i when an user is added into or deleted from the hierarchy^. 
Tripathy and PauUll] also proposed another attacked method on Jeng-Wang 
method in dynamic access control problem in 2011. 

In this paper, we propose a novel secure-filter to overcome Lin-Hsu and 
Tripathy-Paul attacks. In our method, the CA needs to choose two addition 
random integers. One is a secure number rii and the other is a public number 
hi. We choose the secure-filter as 

U{x) ^{x- Ih) ■ {^{{x - iKPt)) j + Li^K,) (5) 

where L/. is the cyclic ^i-shift operator. Our proposed methods eliminate all 
security fiaws of secure filter in Jeng-Wang method that we know and is efficient 
in dynamic access control. 

In section 2, we introduce Wu et.al. and Jeng-Wang key management 
schemes, the security leaks of Jeng-Wang method and Lin-Hsu improvement. 
We propose our method in section 3 and discuss the dynamic access control 
problem in section 4. 

2. Preliminaries 

Let S = {ui,M2,-- - ,u„} be a set with a partial ordering "<". m < Uj 
means that the user Uj has a security clearance higher than or equal to u^. For 
simplicity, Ui < Uj means that the user Uj has a security clearance higher than 
Ui and Uj is called a strictly predecessor of u;. Denote the set of all strictly 
predecessors of Ui by Si = {uj\ui < Uj, Uj G S} . 

Definition 1. fl^] The secure-filter on K with respect to T, ^ {si\si G Zp,0 < 
i < n ~ 1} is a polynomial f with the indeterminate x over a Galois field GF{p) 
such that if s € T,, then f{s) = K{mod p) where p is a public large prime. 

In Jeng-Wang and Wu et.al. s' methods, CA publishes these coefficients 
an,_i, a„_2, • • • , oo of the general form of /, 

f{x) = x" + an^ix"~^-\ \-aix + ao. (6) 
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2.1. Two solutions of hierarchical access control problems 

Now, let us introduce Wu et.al and Jeng et.al.s' methods roughly. 

Wu et. al.'s scheme (l4j : 



Key generation phase 



1, 
2, 
3 

4, 



Choose distmct secret integers Si G lip, < i < n — I. 
For each Ui E S do step 3-5 
Determine the set Si — {g^^^ \uj € Sj}. 
Set 




= naes.(2:-a) + -^i 



if 5*4 = 



(7) 



5. Assign Si, f/i and all coefficients of the general form of /i to uf, 
Ui keeps Si and Ki private, and makes {fi,gi) public. 

Key derivation phase - 

Consequently, the predecessor Uj of Ui can compute g^^ from his 
secure number sj and the public number gi. Then the user Uj obtain 
the cryptographic key Ki by /i(g,f')- 

Jeng- Wang method : 

Initialization phase - 

1. CA randomly choose a large prime p, and a, 6 G Zp with Aa^ + 
276'^ mod p ^ 0. There is a group of elliptic curve Ep{a, b) over 
a Galois field GF{p) that contains a set of points {x,y) with 
x, y G Z* satisfying = + ax -\- 6(mod p) and a point O at 
infinity. Let G G Ep{a, b) be a base point whose order is a large 
prime q. 

2. CA selects an algorithm A : {x,y) ^ v for representing a point 
(x, y) on Ep{a, b) as a real number u. 

3. CA publishes (p, q, ^, E, G). 

Key generation phase - 

1. CA determines its security key rica G 1q and publishes the public 
key Pea = ncaG. 
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2. Each security class Ui chooses its encryption key Ki, a secret key 
rii G Ijq and a pubHc key Pi = riiG. 

3. Ui chooses a random integer k and encrypts {Ki,ni) as a cipher- 
text {kG, {Ki,ni) + kPca}, and sends this ciphertext to CA. 

4. CA decrypts {kG, {Ki, ni) + kPca} to obtain {Ki, rii) by the equa- 
tion 

{K„ n,) = {{K„n,) + kP,a) - n,a{kG). (8) 

5. CA generate the secure- fiher 

r {x-A{nlP,))■■■{x^A{nN,P^)) + K, 



key derivation phase - 

When Uj is a predecessor of Ui, Uj can use the secure key Uj, the pub- 
lic key Pi and the public secure-filter fi to derive Ki = fi{A{njPi)). 



if S'j = (/) 
(9) 



2.2. Two attacks on Jeng-Wang method 

Both of above solutions are secure in a static hierarchical system, it means 
that no user is added into or deleted from S. However, these schemes are 
insecure when a user joins or removes from the hierarchy. Two different attacks 
on Jeng-Wang method have be presented. We discuss these attacks on the Jeng- 
Wang method (and the Wu et. al.'s method) in this subsection. For simplicity, 
we denote the secure- filter fi{x) of a security class Ui as 

fi{x) ^ {x - Q,i)(a; - Ci,2) ---{x - Ci^N,) + Ki. (10) 

The value Ci,j plays the same role as g'l^ in Wang et. al.'s scheme or A{njPi) in 
Jeng-Wang method. 

Lin-Hsu attack d, 0| : 

Without lose of the generality, we only consider the situation that there is 
a new security class joining in hierarchy. Let Ui be a security class (user) 
in S, Si = {uj\ui < Uj and uj G S} be the set of strictly predecessors of 
Ui and ujv be a new predecessor of Ui . Assume that 

fi{x) = {x- Ci^i){x - C,;,2) ■ • • (X - Ci^ArJ + Ki 

is the secure-filter of Ui in the original hierarchy and 

fi{x) = (x - CiA){x - Ci,2) • • • (x - Ci^Nj{x - Ci,Ar) -|- Ki 

is the new secure- filter in the new hierarchy after ujv is inserted. 
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One has 



Mx) - fi{x) = (x - c.,,i){x - Ct,2) • • • (a; - Ci,Ni){x - Ci,n - !)• (11) 

Obviously, Ci^i ■ ■ ■ Ci^N- are the solutions oi fi{x)^fi{x) = 0. The adversary 
can obtain Cij for some j e {1, 2, • • • , Ni} by solving the equation {fi — 
fi){x) = 0, and then get the encryption key Ki of Ui by fi{cij) or fi{cij). 

Tripathy-Paul attack [Tl| : 

In 2011, Tripathy and Paul pointed out another attack on Jeng-Wang 
method. With the assumptions in Lin-Hsu attack, the general form of the 
secure-filters fi{x) and fi{x) are 

fi{x) = x'^' + aAT.^ix^'-i -I- ■ • • -I- aix'^ + ao (12) 

and 

Mx) = x^-+' + Pn,x^^ + ■■■ + Pix^ + /3o, (13) 
respectively. Since 

PNi = Ci,i -I- Ci^2 H V- Ci^N, + Ci,Af, 

and aj , /3fc for each j, k are public information, the adversary can obtain 
Ci,N by subtracting /Sa?. from a^i-i, and the encryption key Ki = fi{ci^N)- 

2.3. Lin-Hsu improvement 

Lin and Hsu [1, Q presented an improvement of Jeng-Wang scheme. They 
used a random number r and an one-way hash function h{-) replacing {A{njPi)^ Ki) 
in Jeng-Wang scheme with {h{r\\A{njPi)), Ki). That is, the value in Eg. pH)) 
for each j should be changed when a security class is added in or deleted from 
in hierarchy. This implies that A{njPi) is not solution of fi{x) — fi{x) — any- 
more. Hence, this method eliminates the security flaw on Jeng-Wang method 
effectively (see d, |1] for the details). 

3. Our proposed method 

First, let us introduce some definitions and properties of the cyclic ^-shift 
operator. 

Definition 2. Let b he a positive integer greater than 1. The radix (base) b 
expansion of a positive integer k is a unique expansion of k as 

k = k^n+ib"" + + ■ ■ ■ + k2b + ki (15) 

where ki € {0, 1, ■ • • ,6 — 1} for each i and fcm+i 7^ 0. This expansion is written 
as {km+ikm ■ ■ ■ ki)b. The integer ki is called the i-th coefficient of the radix b 
expansion of k, whereas fcm+i *s the leading coefficient of the radix b expansion 
ofk. 
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Definition 3. Let b he a positive integer greater than 1 and I he an integer. 
The cyclic l-shift operator Li{-) based on b is defined by 

m 

Li{k) = {km+lka>{m)K'{m-l) ' ' " ka'{l))b = km+lb'^ + ^ (i)b''~'^ , (16) 

i=l 

where {km+ikm ■ ■ • ^1)6 is the radix b expansion of n and cr = (1, 2, ■ • • , m) is 

the m- cyclic in the symmetric group Sm of degree m. 

Example 1. Ifb = 10, then Li{21M9) = 23491, ^2(21349) = 24913, L3(21349) = 
29134 and L4(21349) = 21349. 

Ifb = 2, then Li((11110)2) = (11101)2, L2((11110)2) = (11011), L3((11110)2) = 
(10111)2 and L4((11110)2) = (11110)2. 

Proposition 1. Let b be a positive integer greater than 1 and p be a positive 
integer greater than b with the radix b expansion {pm+iPm ■ • ■Pi)b- Suppose k 
is a positive integer less than p and there exists m + 1 nonncgative integers 
km+i,km, ■ ■ ■ ,ki less than b such that k = X^™^^ kib^~^ . We still denote it by 
{km+ikm ■ ■ ■ki)b and km+i may be zero. 
Ifkm+i <Pm+i, one has 

Ll{k) = {km+lkal{m)ka>{m-l) ' ' ' kal{l))b < P- (17) 

Furthermore, if k € Z*, then 

L_i{Li{k)) = k (18) 

in Z;. 

Proof. Since ^ k„i(^i-^V~^ < and km+i < Pm+i, one has 

Li{k) = km+ib"" + ka'(i)b'-' < km+ib"" + 6"^ < pm+ib"" < p. 
This implies that 

Li{k) = ikm+lkal{m)ka'im-l) ' ' ' (^^^ P)' 

Hence, 

L-l{Li{k)) = L_i{{km+lk„'{m)ka'im-l) ' " ' kai{l))b) = {km+lkm ■ ■ ■ ki) 

in Z;. □ 

Remark 1. In general, L^i{Li{k)) may not be equal to k in Z* even if k < p. 
For instance, if b — 10, p = 239, / = 1 and k — 235. Then 

L_i(Li(235)) = L_i(253 mod 239) = L_i(014) = 41 

in Z239. 
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Now, wc discuss our solution of the access control in hierarchy. In our 
method, CA is a super security class which should choose a secrete integer hi 
and a public integer li for each secure- filter /j. Let Li{x) be a cyclic Z-shift 
operator. Then the secure-filter in our proposed method is given by 

fi{x) = {x- hi){x - ai,i) ■■■{x- ai^Ni) + Ui{Ki) (19) 

where ai,j plays the same role as A{njPi) in Jcng-Wang method. 

Method 1: (Revised Jeng-Wang method) 



Initialization phase - 



1. CA randomly chooses a small positive integer d greater than 1, a 
large prime p, and a,b gZ* satisfying that 4a'^ + 276^ mod p ^0 
Let Ep{a, b) be an elliptic curve = x^ + ax + b (mod p) over a 
Galois field GF{p) containing a set of points (x, y) with x,y E Z* 
and a point O at infinity. CA selects a base point G of Ep{a, b) 
whose order is a large prime q. 

2. CA selects an algorithm A : {x, y) v, for representing a point 
(x,?y) on Ep{a,b) as a real number v. 

3. CA publishes {d,p,q,A,E,G). 

Key generation phase - 



1. CA determines its security key Uca G Z* and publishes the public 

key Pea = TlcaG. 

2. Each security class Ui chooses a secret key rij G Z* , a public 
key Pi = riiG and its encryption key Ki such that the leading 
coefficient of the radix d expansion of Ki is less than the leading 
coefficient of the radix d expansion of p and all coefficients of the 
radix d expansion of Ki are not all equal. 

3. Ui chooses a random integer k and encrypts {Ki,ni) as a cipher- 
text {kG, {Ki,ni) + kPca}, and sends this ciphertext to CA. 

4. CA decrypts {kG, {Ki, ni) + kPca} to obtain {Ki, Ui) by the equa- 
tion 

{K,, n,) = {{K„ n,) + kP^a) - nea{kG). (20) 

5. CA randomly choose a secret integer hi and a public integer li. 

6. CA generates the secure- filter 

fi{x) = {x- h,){x - A{n,Pi)) • • • (x - A{nN,Pi)) + Li,{Ki) 
= nu,^sS^-MnjPi)) + Li,{Ki) 

(21) 

and publishes it. 
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Figure 1: A hierarchy (S, <). 



key derivation phase - 

When Uj is a predecessor of u^, Uj can use the secure key n^, the 
public key P, and the pubhc secure-filter fi to derive Li.{Ki) = 
fi{A{njPi)). Finally, Uj obtain the cryptographic key — L^i.{Li.{Ki)) 
by Proposition [T] 

Example 2. In Fig. [7J the user set has 5 security classes denoted as S = 
{ui, ■ ■ ■ , U5}. The secure-filter of Ui in our method forms as 

fiix) = {x - hi) Y[{x~ A{njPi)) + Li^{Ki). (22) 

For simplicity, we denote A{njPi) as Oij here and after. All secure-filters in 
the hierarchy S are 



(23) 



3.1. Security analysis 

When a new predecessor of Ui is added in hierarchy, the secure-filter of 

Ui, 

fi{x) = (x - h^){x - Qi^i) ■■■{x - tti^Ni) + Li.{Ki), (24) 

becomes 

fi{x) = {x - h.i){x - Oi^i) ■■■{x - a.,,N^) -f Lj,{Ki). (25) 

Because hi,hi,li and li can randomly be chosen by CA, we may assume 
hi ^ hi and Li.{Ki) ^ Lj(Ki). Therefore, Oi^i ■ ■ ■ ai^jsf. are not the solutions 
of fi(x) — fi(x) — and Lin-Hsu attack fails. By comparing the coefficients of 
XNi, XNi-i of fi{x) and the coefficients of a;Ar;+i, a;Ar; of fi{x), one has 

"AT, = a.j_i + ai,2 -\ h fli.TVi +hi ^ ^2g-j 

PNi+i — o,i,i + ai,2 + • ■ ■ + ai,N. -\- ai,N + hi 



ui : 




= 








U2 : 


f2{x) 


= (x- 


h2){x 


- 02,1) + 


L1AK2) 


U3 : 


fsix) 


^{x- 


hz){x 


- a3,i) + 




U4 : 




^{x- 


/l4)(x 


- a4,i)(a; 


- Oia) + L^{Ki) 


U5 : 


hix) 




h^)(x 


- az,i){x 


- a5,2)(a; - 05,3) + 
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and 

Pn, = Yls^t o-i-s^i^t + {ai,N + hi){Y,g ai.s) + o-i.Nhi 

where 1 < s, i < Ni. 

Eq.® and Eq.d!?]) imply 

Pni+i — ctNi — aj.w + hi — hi 
Pn, - ctNi-i = {ai,N + - hi){Y^ ai,s) + ai^Nhi. 



(27) 



(28) 



Consequently, 

/3Af. - OiN,-i = (/^AT.+i - aArJ(Q;Ar, - hi) + a.^Nh^, (29) 

that is, 

ai,Afft-i - (^AT.+i - aN,)hi = {Pn, - OLN.^i) - {Pn,+i - aN,)aN,- (30) 

Eq.pO|) is a nonlinear equation with indctcrminates ai^N,hi and hi and it is 
hard to solve in Z*. 

3.2. Dynamic key management 

An efhcient method for updating the secure- filter is the main task in dynamic 
access control of our proposed methods. Before discussing the problems of 
dynamic key management, we introduce some properties for our secure-filters. 

Theorem 1. Let 

f{x) = (x - ai){x - a2) ■ • • (x - a„) + Ki (31) 



g{x) = (x - ai){x - 02) • • • (x - a„)(a; - a„+i) + K2 (32) 

be two polynomials in Z*. Immediately, we have f{x) — ^^^'^^ ^^-^ + Ki or 
g(x) (x - a„+i)(/(x) - Ki) + K2. 

V f{^) — SiLo*^'^* '^"■'^ — '^^i=o f^i^^ ! then we have 



1 if j = n+\ 

aj-i-On+iaj i/ j e {2, 3, • • • ,n} 

ao - On+iai - Ki if j = I 

{K2 - Ki) - a„+iQ!o if j ^0 



(33) 



or 



1 ifj^n 
"j" = "( ^j+i a„+iaj+i i/j e {1,2,--- ,n- 1} (34) 
^1 -I- a„+iai -I- i^l ifj^O 
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Proof. One has 

g{x) = (x - a„+i) n"=o(^ ~ "0 + -^2 
= ix-an+i){f{x)^Ki) + K2 

= (a; - a„+i)(Q;„x" + a„_ia;""^ \- aa - Ki) + K2 (35) 

= Q;„a;"+i + (a„_i - a„+iQ;„)a;" H h (ai - a„+iQ;2)a;^ 

+ (q;o ~ Ki~ an+iai)x + K2 - a„+i(Q;o - ifi). 



Comparing the coefficients of each terms of f{x) and g{x), we obtain Eq.(j33]) 
and □ 

Corollary 1. Let f{x) — {x — hi)[x — oi) ■ ■ ■ {x — an) + Ki he a polynomial of 
degree n + 1 in 1,* and ai be the coefficient of the term x^ of the general form 

of f{x). Hence, f{x) = J27=a ^i^' ■ 

If g{x) — {x ~ h2){x — fli) ■ ■ ■ {x — an){x — a„+i) + K2 is a polynomial of 
degree n + 2 in Z* then the coefficient jSj of x^ of g{x) can be computed by the 
formulas in Theorem]^ 

Proof. Since 



g{x) = (x - a„+i) I [x ~ /12) 



{x - hi) 



i)\+K2 



Hence, the coefficients of Gi{x) = '^('jfl/,^^ +0 can be estimated by Ea. ([M|) . and 
the coefficients of G2{x) — {x — h2){Gi{x) — 0) + 0) can be estimated by Eq. (|33|) . 
Finally, we obtain the coefficients of g{x) = {x — a,i+i) (6*2(2;) — 0) + K2 by the 
Eq.®. □ 

Corollary 2. Under the same assumptions in Corollary [IJ // h{x) = {x — 
h3){x — ai) ■ ■ ■ {x — a„_i) + A'3 is a polynomial of degree n, then the coefficient 
of x^ of h(x) can be obtained by Theorem]^ 

Proof. Since 

'f{^)~Ki 



h{x) = (a; - /13) 



{x - hi) 



{X - On) 







the coefficients of Hi (x) ~ — ~ can be evaluated by Eq. (p4l) , the coefficients 
oiH2{x) ~ ^^'f^'" can be computed by Eq. ([M)) . And we obtain the coefficients 
of h{x) = (x - hl){H2{x) - 0) + i^s by Eq. 1^. □ 

Inserting new security class: 

Assume that a new security class Ur is inserted into the hierarchy such 
that Ui < Ur < Uj. 

1. Determine the secret information u^., Kr,nr, hr, the public informa- 
tion Pr,lr and the public secure-filter fr{x) by the steps 2-6 in key 
generation phase of our proposed method. 
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Figure 2: A new security class uq is inserted into the hierarchy (5, <). 

2. For each Ug < Ur (i.e. the strictly successor of Ur) 

(a) Update the secret number hs and the pubhc number Is- 

(b) Update the secure-fiher fs{x) of by Corollary [TJ 

Removing existing security classes : 

Assume that an existing member Ur is removed from a hierarchy (5, <) 
and Sr = {us\ur < Us} is the set of all strictly predecessors of Ur- 

1. For each strictly predecessor Us of Ur, 

(a) CA chooses a new secret number hs and a new public number Is 
randomly. 

(b) Update the secret filter fs by Corollary [2] 

2. Delete the security class Ur from the hierarchy (S*, <) and discard the 
secret and public information of Uj.. 

Example 3. In Fig. a new security class uq is inserted into the hierarchy S 
in Fig. [l\such that < uq < ui. The secure-filter of uq is 

fdx) ^ {x- he){x - aej) + Li^{Kf,). (36) 

Since u^ is the only strictly successor of uq , CA only needs to update the secure- 
filter of Ui. Assume that CA chooses a new secrete number hi and a public 
number I4 randomly. After uq is inserted, the secure-filter of M4 becomes 

fi{x) ^{x - hi)(x - ai,i){x - a4,2)(a; - 04,5) + Lj^iK^). (37) 

Now, let us compute the coefficients of this new secure-filter in Eq. ^37^ from the 
original secure-filter, {x — hi){x — a4,^i){x — 04,2) + L^iKi), by Eqs. \33\) and 
(3^. Assume that 

3 

(x - h4){x - a4:,2){x - 04,1) + Li^{Ki) = '^a\x\ (38) 

i=0 
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1. Using Eq. the coefficients of the indeterminate x of 



(x - a4_i)(x - 04,2) + ^ 



'x' 



i=0 



can be obtained by 



2. Using Eg. 



2 



~{a4,i + 04^2) = al + hia\ 
ag = 04,104,2 = a} + — h/^al 



, CA computes the coefficients of 



(39) 



(40) 



{x — hi){x — ai,i){x — 04,2) + = a 



1=0 



"3 =1 

ttj = —(04,1 + 04,2) — /i4 = — /i4Q;2 

= 04,104,2 + ^4(04,1 + 04,2) = a§ — h^ai 
Uq = —/14O4, 104,2 = —h^aQ + 0. 

again, the coefficients of 



3. Using Eq. 

{x - h4){x - 04,i)(a; - 04,2)(a; - 04,5) + Li^{K4) = ^1 



4„j 



(41) 



(42) 



(43) 



are 



4 



ttg = —(04,1 + 04,2 + /14) — 04,6 = a2 — 04,603 

a2 = (04,104,2 + ft.404,1 + ^.404, 2) — 04,6( — ft.4 — 04,1 — 04^2) = Q!i — 04,6(32 
af = —/l404, 104,2 — 04,5(04,104,2) + /l404,l + ^1404,2) = — 04,6ai 
=04,104,204,6^4 + ^^^(^^^4) = 04,6Q;i] + L^^(L_;4(L;^(ii:4))). 

(44) 

4. Finally, CA updates the secure-filter ofu^ as the coefficients {ctg, a\, ■ ■ ■ , q;|}. 

Example 4. /n Fii?. let U3 6e removed from the hierarchy {S, <) so that the 
relationship U5 < U3 < ui breaks up. CA removes all information related to U3 
and choose four random numbers /14, 14, /15 and I5. CA replaces the secure-filter 
ofu5 by 



f^{x) = (a; - h^)[x - 05,i)(a; - 05,2) + Lj^^iK^). 



(45) 



Assume that {x - hrf){x ~ 05,i)(a; - 05,2)(a; - 05,3) + Li^{Kz) = J2i=o Pl^'' ■ 
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Figure 3: An existing member U2 is removed from the hierarchy (S, <). 



1. The coefficients of {x — a^.i){x — a^.2){x — 05^3) + = J2i=oPi^'' ^'^^ 

(46) 



Pi =1 



P'o =Pl-h5{Pl) + 



2. The coefficients of {x — a5^i){x — 05,2) + = X]?=o Pf^^ '^'^^ 

PI =1 

Pf =/3| + a5,3/3| (47) 
PI =/3? + a5,3/3?. 

3. The coefficients of {x — /i5)(a; — a5^i){x — 0^,2) + Li^{K^) are 



Pt =1 

/3| =Pl~h,Pl 

Pt =Pl-0-h,l3f 

/34 = -/i5(/33 -0) +Lr (L„,,(Li,(X5))). 



4. Then, CA publishes these coefficients /3q, • • • 



(48) 



4. Conclusion 



Our proposed method in this paper is a secure solution of access control 
in hierarchy and the scheme of dynamic key management is very simple and 
efficient. Furthermore, Wu et.al.'s method becomes a secure method under our 
secure- filter. 
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Method 2: (Revised Wu et. al. method) 



Key generation phase - 

1. Choose distinct secret integer Si € Zp, < i < n — 1. 

2. CA chooses a small integer d greater than 1 and publishes d. 

3. For each Ui € S do step 3-5 

4. Determine the set Ej = {g'^' \uj G Sj}. 

5. CA randomly choose a secret integer hi and a public integer k. 

6. Determine the encryption key Ki such that the leading coefficient 
of the radix d expansion of Ki is less than the leading coefHcient 
of the radix d expansion of p and all coefficients of the radix d 
expansion of Ki are not all equal. 

7. Set 

fi{x) = (x - h,){x - gt°){x - 5f ) . . . (x - + Li,{Ki) 
= {^-h^)■Uaes^^-^)+Lh{Ki) 

(49) 

8. Ui keeps s, and Ki private, and makes {fi,gi,li) public. 

Key derivation phase - Consequently, the predecessor Uj of Ui can 
compute g^' from his secure number Sj and the public number gi. 
Then the user Uj obtain Li.{Ki) by fi{gl^) as well as the crypto- 
graphic key ii'i by acyclic — Zj-shift operatorL_; . , Ki = L-i.{Li.{Ki)). 
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